Mythbusting time

Listed in order of importance.

NET-TOOLS. Avoid this unmaintained bugridden tool pile consisting of ifconfig, route and so on under all circumstances.
Use iproute (/sbin/ip et al) instead.

FORWARDING. The act of passing a packet on to another machine.
You cannot forward ports or connections. (They are immovable entities, and each system has its own set.) Operating systems forward single packets at a time.

ROUTING. Based on address/mark/TOS, decides whether packets are delivered locally, or whether they are forwarded. Forwarding and routes can be controlled with `ip route`. Don't forget `sysctl -w net.ipv6.conf.all.forwarding=1 net.ipv4.conf.all.forwarding=1` (there often are distro-level knobs for this).

NETWORK ADDRESS TRANSLATION. Get rid of it.
NAT is not to be confused with routing and/or forwarding.
NAT screws around with your packets, like changing addresses and/or ports, and often breaks end-to-end connectivity.
With nf_nat, a transformation applies to the whole (NFCT) connection, i.e. both directions.

nat TABLE. A configuration database of sorts. Consulted only when convenient — do not rely on a 1:1 packet:lookup ratio.

BLOCKING PORTS. Remember that Xtables actually does not “block ports”, but packets matching certain conditions.

VSERVER/VPS. (Container solutions like OpenVZ/LXC.) Hosting providers often ship an incomplete Xtables (kernel part) setup that you cannot fix because you have no control over it.
Solution: get a dedicated environment where you can choose the kernel image. That can either mean a dedicated server, or something like an (expensive) Amazon EC2 (Xen-based) VM.

VIRTUAL ADDRESSES. No one has ever defined address states like “physical” or “virtual”. Think of it (if you can) — what would be the point of addresses that are not real?

SEND TO DEVICE. You cannot send/forward “to (Ethernet) interfaces/devices”. Every (Ethernet) packet's destination is determined by a destination MAC address.

BIND TO DEVICE. bind(2) binds to addresses, for God's sake. It says so in the manual, and if you still don't believe it, you can check by having an address on multiple interfaces.

The 5-step to getting assistance

  1. State your intention
  2. State your way of accomplishing it (commands issued, etc.)
  3. State what you expected
  4. State what you observed instead
  5. Wait for an answer; don't leave in less than 5 minutes

Posting guidelines

Please use the shown tools whenever possible. Others (like ifconfig) may give incomplete or misleading information — we all had that already. Posting link and route setup may also help us identify that you may have triangle setup that is not actually an iptables problem. (Providing the output of the following commands gives additional information and saves all of us time.)

iptables-save
ip addr
ip route show table all
sysctl -a | grep '^net\.'

Avoid address obfuscation. Quoting our honorable member twb, “as an example, if you changed your "cookie.local" to "cookie.example.net", then I would not realize that you were running into the mDNS-vs.-AD problem”.

Also be patient after having posted the question/problem, especially since we are generally not paid to be your personal express support (but things can be arranged, of course ☺). Leaving the channel after 60 seconds after posting is not going to be useful either.

Now that we have discussed the netiquette, the interesting stuff:

Helpful Guides

For Developers